Determining anomalies and the causes of anomalies in network traffic may enable networks to function more efficiently. For example, being able to detect sudden increases or decreases in network traffic and determining who or what is responsible for the sudden changes can help ensure that information is exchanged efficiently across networks.
Denial of Service (DoS) attacks may cause network anomalies. In a DoS attack, an attacker may overwhelm, and thus render inoperable, a server by sending the server thousands or millions of requests in rapid succession. Because the server must process each and every attack request, the server may be unable to process, or only very slowly process, requests from legitimate hosts.
Further, in a specific type of DoS attack called a Distributed Denial of Service (DDoS) attack, an attacker may control a large number of compromised computers to send requests to the targeted server simultaneously. For example, an attacker may obtain control over a large number of computers using a virus. The attacker may then instruct the infected computers to send requests over a network to a target computer system that serves many clients. DDoS attacks may be more dangerous because of the increased number of requests. They also may be more difficult to detect because the requests originate from multiple IP addresses rather than a single source.
As one example, attackers may use DoS and DDoS attacks against Domain Name System (DNS) servers. DNS servers receive requests that include a domain name of a website (e.g., example.com). The DNS server responds to the client with the corresponding IP address (e.g., 1.1.1.1), so that the client may access the website. DNS servers may handle millions of requests every hour from many different clients. The large volume may make detecting a DoS or DDoS attack on a DNS server problematic, because it may be difficult to separate the malicious requests from the legitimate requests.
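As an added example (not part of the original text), the following Python sketch performs the kind of anomaly check described above on constructed DNS query log lines: it buckets queries per minute, flags minutes whose volume departs sharply from the trailing baseline (increases or decreases), and reports how many distinct sources drove the change, which is what separates a single-source DoS from the multi-source DDoS pattern. The log format, the z-score threshold and the sample addresses are assumptions.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample of DNS query log lines, "<epoch_second> <client_ip> <qname>".
# Minutes 0-4 carry a steady load of 20 queries from four clients; minute 5 carries
# 300 queries spread across 50 sources, the multi-source pattern the text attributes to DDoS.
SAMPLE_LOG = [f"{m * 60 + i * 3} 10.0.0.{i % 4 + 1} example.com"
              for m in range(5) for i in range(20)]
SAMPLE_LOG += [f"{300 + i % 60} 203.0.113.{i % 50 + 1} example.com" for i in range(300)]


def bucket_by_minute(lines):
    """Return {minute_index: Counter(client_ip)} describing per-minute query volume."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip, _qname = line.split()
        buckets[int(ts) // 60][ip] += 1
    return buckets


def find_spikes(buckets, z_threshold=3.0, top_n=3):
    """Flag minutes whose query count deviates from the trailing baseline by at least
    z_threshold standard deviations, and report which sources drove the change."""
    minutes = sorted(buckets)
    counts = [sum(buckets[m].values()) for m in minutes]
    findings = []
    for idx in range(2, len(minutes)):  # need at least two earlier minutes as a baseline
        baseline = counts[:idx]
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1.0  # flat baseline: treat one query as one sigma
        z = (counts[idx] - mean) / stdev
        if abs(z) >= z_threshold:  # catches sudden decreases as well as increases
            sources = buckets[minutes[idx]]
            top_count = sources.most_common(1)[0][1]
            findings.append({
                "minute": minutes[idx],
                "count": counts[idx],
                "z": round(z, 2),
                "distinct_sources": len(sources),
                "top_sources": sources.most_common(top_n),
                # a small share for the busiest source means the burst is spread across
                # many addresses, the signature the text describes for DDoS
                "top_source_share": round(top_count / counts[idx], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_spikes(bucket_by_minute(SAMPLE_LOG)):
        print(finding)
```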